Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for Drag and Drop Multiple File Upload – Contact Form 7 by Unknown
CVE-2022-3282 (GCVE-0-2022-3282)
Vulnerability from nvd – Published: 2022-10-17 00:00 – Updated: 2025-05-13 15:47
VLAI?
Title
Drag and Drop Multiple File Upload < 1.3.6.5 - File Upload Size Limit Bypass
Summary
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Drag and Drop Multiple File Upload – Contact Form 7 |
Affected:
1.3.6.5 , < 1.3.6.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3282",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T15:46:54.008807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T15:47:23.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.6.5",
"status": "affected",
"version": "1.3.6.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sanjay Das"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Drag and Drop Multiple File Upload \u003c 1.3.6.5 - File Upload Size Limit Bypass",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3282",
"datePublished": "2022-10-17T00:00:00.000Z",
"dateReserved": "2022-09-23T00:00:00.000Z",
"dateUpdated": "2025-05-13T15:47:23.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0595 (GCVE-0-2022-0595)
Vulnerability from nvd – Published: 2022-03-28 17:22 – Updated: 2024-08-02 23:32
VLAI?
Title
Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS
Summary
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Drag and Drop Multiple File Upload – Contact Form 7 |
Affected:
1.3.6.3 , < 1.3.6.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.452Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.6.3",
"status": "affected",
"version": "1.3.6.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brandon James Roldan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-28T17:22:57.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Drag and Drop Multiple File Upload - Contact Form 7 \u003c 1.3.6.3 - Unauthenticated Stored XSS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0595",
"STATE": "PUBLIC",
"TITLE": "Drag and Drop Multiple File Upload - Contact Form 7 \u003c 1.3.6.3 - Unauthenticated Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.3.6.3",
"version_value": "1.3.6.3"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Brandon James Roldan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2686614",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0595",
"datePublished": "2022-03-28T17:22:57.000Z",
"dateReserved": "2022-02-14T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:32:46.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3282 (GCVE-0-2022-3282)
Vulnerability from cvelistv5 – Published: 2022-10-17 00:00 – Updated: 2025-05-13 15:47
VLAI?
Title
Drag and Drop Multiple File Upload < 1.3.6.5 - File Upload Size Limit Bypass
Summary
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Drag and Drop Multiple File Upload – Contact Form 7 |
Affected:
1.3.6.5 , < 1.3.6.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3282",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T15:46:54.008807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T15:47:23.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.6.5",
"status": "affected",
"version": "1.3.6.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sanjay Das"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Drag and Drop Multiple File Upload \u003c 1.3.6.5 - File Upload Size Limit Bypass",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3282",
"datePublished": "2022-10-17T00:00:00.000Z",
"dateReserved": "2022-09-23T00:00:00.000Z",
"dateUpdated": "2025-05-13T15:47:23.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0595 (GCVE-0-2022-0595)
Vulnerability from cvelistv5 – Published: 2022-03-28 17:22 – Updated: 2024-08-02 23:32
VLAI?
Title
Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS
Summary
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Drag and Drop Multiple File Upload – Contact Form 7 |
Affected:
1.3.6.3 , < 1.3.6.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.452Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.6.3",
"status": "affected",
"version": "1.3.6.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brandon James Roldan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-28T17:22:57.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Drag and Drop Multiple File Upload - Contact Form 7 \u003c 1.3.6.3 - Unauthenticated Stored XSS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0595",
"STATE": "PUBLIC",
"TITLE": "Drag and Drop Multiple File Upload - Contact Form 7 \u003c 1.3.6.3 - Unauthenticated Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.3.6.3",
"version_value": "1.3.6.3"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Brandon James Roldan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2686614",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0595",
"datePublished": "2022-03-28T17:22:57.000Z",
"dateReserved": "2022-02-14T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:32:46.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}